Last week the Seventh Circuit reinstated the Neiman Marcus data breach class action, holding that plaintiffs had satisfied Article III’s standing requirements based on at least some of the injuries they alleged. In doing so, the Seventh Circuit became the first federal court of appeals to rule on a challenge to the standing of purported data breach victims in light of the Supreme Court’s decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), and diverged from the growing majority of federal district courts that have held similar allegations are insufficient to confer standing.
In Remijas v. Neiman Marcus Group, LLC, a putative class of Neiman Marcus customers brought claims against the company for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws as a result of a 2013 malware attack that exposed approximately 350,000 debit and credit card numbers. The plaintiffs alleged several types of injury as a result of the data breach, including in relevant part: (1) an increased risk of future fraudulent charges, (2) greater susceptibility to identity theft; (3) lost time and money resolving fraudulent charges; and (4) lost time and money protecting themselves against the risk of future identity theft. Notably, the plaintiffs also alleged that at least 9,200 of the impacted cards had already experienced fraudulent charges.
Neiman Marcus moved to dismiss the complaint for lack of standing, and on September 16, 2014, the district court granted the motion and dismissed the class action complaint. Remijas v. Neiman Marcus Group, LLC, No. 14-cv-1735, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sept. 16, 2014). The district court, citing Clapper, reasoned that the plaintiffs’ allegations of injury were not sufficiently imminent and “certainly impending” for purposes of standing, and that any fraudulent charges incurred were reimbursed and the incidental related costs to those customers were de minimus. This is consistent with the majority of districts courts that have considered and rejected similar allegations of increased risks of identity theft and fraudulent charges and time and money spent monitoring credit. See, e.g., Green v. eBay Inc., No. 14-1688, 2015 U.S. Dist. LEXIS 58047, *10-12 (E.D. La. May 4, 2015) (collecting cases and noting that “[f]ollowing Clapper, the majority of courts faced with data breach class actions . . . [have] found that the mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury unless the harm alleged is certainly impending,” and dismissed the complaints for lack of Article III standing).
On appeal, however, the Seventh Circuit came to a different conclusion. The court distinguished Clapper as a case in which plaintiffs “could not show that their communications with suspected terrorists were intercepted by the government,” since they merely “suspected that such interceptions might have occurred.” Remijas, 2015 U.S. App. LEXIS 12487 at *10 (emphasis in original). In contrast to Clapper, the Seventh Circuit held the plaintiffs in Remijas faced an “objectively reasonable likelihood” of imminent fraudulent charges and identity theft – asking “Why else would hackers break into a store’s database and steal customers’ private information?” – analogizing the case to the Adobe data breach addressed in In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014), and noting that “so far” fraudulent charges had already appeared on 9,200 of the cards. Id. at **11-13 (emphasis in original). The court also held that plaintiffs’ allegations of mitigation expenses incurred dealing with and protecting themselves against future identity theft and fraudulent charges qualified as a concrete injury.
While potential data breach plaintiffs and their attorneys are understandably encouraged and emboldened by the Seventh Circuit’s decision, the opinion won’t be the last word on the standing of consumer data breach class action plaintiffs. As data breach litigation continues to increase, other federal courts of appeal are likely to address the standing issue. In fact, another data breach class action dismissal on the basis of standing is currently on appeal in the Seventh Circuit. See Lewert v. P.F. Chang's China Bistro, Inc., Nos. 14-cv-4787, 14-cv-4923, 2014 U.S. Dist. LEXIS 171142 (N.D. Ill. Dec. 10, 2014), appeal docketed, No. 14-3700 (7th Cir. Dec. 12, 2014). The Seventh Circuit has asked the parties to file statements of positions in light of the ruling in Remijas, and could use a decision in P.F. Chang’s to further explain its position on standing and the extent of its holding in Remijas. For example, in Reminjas the allegation was that at least 9,200 cards had already incurred fraudulent charges, making the risk of imminent harm to the putative class members much less speculative than if there had yet to be any fraudulent charges or identity theft, as is often the case with data breach class action complaints. The Seventh Circuit also made a point to distinguish Remijas as “going far beyond” the allegations in Robins v. Spokeo, Inc., which is the case currently pending before the Supreme Court that will likely have significant implications on the ability of plaintiffs to bring data breach class actions premised solely on statutory violations.
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Cyber Insurance
- Privacy Laws
- Data Breach
- Class Action Litigation
- General Data Protection Regulation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Can’t We All Get Along in the Cyber Sandbox?
- California's New Privacy Law is Coming - Are You Ready?
- Gearing up for National Cybersecurity Awareness Month: KMK Hosts Third Annual Cybersecurity & Privacy Seminar
- Ohio Data Protection Act - Safe Harbor for Businesses in Ohio
- Ohio’s Data Protection Act: What You Need to Know
- September 2018 Was a Busy Month for Data Privacy
- GDPR - 90 Days Later
- GDPR: What We're Learned So Far and What to Expect
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know
- SEC Issues Guidance on Cybersecurity Disclosures